Intelligent WAN 2.0 principles
Pero Gvozdenica, Systems Engineer, pero.gvozdenica@combis.hr
Vedran Hafner, Systems Engineer, vehafner@cisco.com
Then VS Now
Intelligent WAN: Leveraging Any Transport
[Diagram: Secure WAN Transport and Internet Access. Hybrid WAN transport: the branch reaches private and virtual private clouds over MPLS (IP-VPN) with IPsec, and reaches public cloud over the Internet via Direct Internet Access.]
- Secure WAN transport for private and virtual private cloud access
- Leverage the local Internet path for public cloud and Internet access
- Increase WAN transport capacity cost-effectively
- Improve application performance (right flows to the right places)
Intelligent WAN Solution Components
[Diagram: Branch with AVC, WAAS and PfR connected over MPLS, Internet and 3G/4G-LTE transports to Private, Virtual Private and Public clouds.]
Transport Independent
- Consistent operational model
- Simple provider migrations
- Scalable and modular design
- DMVPN IPsec overlay design
Intelligent Path Control
- Application best path based on delay, loss, jitter, path preference
- Load balancing for full utilization of all bandwidth
- Improved network availability
- Performance Routing (PfR)
Application Optimization
- AVC: Application monitoring with Application Visibility and Control
- Per-tunnel Hierarchical QoS
- WAAS: Application acceleration and bandwidth savings
- WAAS: Intelligent Edge Caching with Akamai Connect
Secure Connectivity
- Certified strong encryption
- Comprehensive threat defense with ASA and IOS firewall/IPS
- Web Security (CWS) for scalable, secure direct Internet access
Flexible Secure WAN Design Over Any Transport
Dynamic Multipoint VPN (DMVPN)
Transport-Independent
- Simplifies WAN design
- Easy multi-homing over any carrier service offering
- Single routing control plane with minimal peering to the provider
Flexible
- Dynamic full-meshed connectivity
- Consistent design over all transports
- Automatic site-to-site IPsec tunnels
- Zero-touch hub configuration for new spokes
Secure
- Proven, robust security
- Certified crypto and firewall for compliance
- Scalable design with high-performance cryptography in hardware
[Diagram: Branch ISR-G2/4xxx with DMVPN over Internet WAN and MPLS to ASR 1000 hubs in the Data Center.]
What is Performance Routing (PfR)?
Tooling for Intelligent Path Control
Performance Routing (PfR) provides additional intelligence to classic routing technologies to track the performance of, or verify the quality of, a path between two devices over a Wide Area Networking (WAN) infrastructure to determine the best egress or ingress path for application traffic.
- Cisco IOS technology
- Two components: Master Controller (MC) and Border Router (BR)
[Diagram: Data Center with an MC and two BRs, connected over DSL and Cable to a Branch running a combined MC+BR.]
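A simplified model of the per-application path decision described here and under the "Intelligent Path Control" pillar above (thresholds on delay, loss and jitter, plus a path preference), written as an added Python example; it is not Cisco code, and the path names, threshold values, load limit and tie-break rules are assumptions.

```python
from dataclasses import dataclass

@dataclass
class PathMetrics:
    """Measured state of one WAN path (constructed sample values below)."""
    name: str          # e.g. "MPLS" or "INET"
    delay_ms: float
    loss_pct: float
    jitter_ms: float
    load_pct: float    # current utilisation of the link

@dataclass
class ClassPolicy:
    """Per-application-class thresholds and path preference (assumed shape)."""
    name: str
    max_delay_ms: float
    max_loss_pct: float
    max_jitter_ms: float
    preferred: tuple   # path names in order of preference

def within_policy(p: PathMetrics, pol: ClassPolicy) -> bool:
    """True when the path currently meets every threshold of the class."""
    return (p.delay_ms <= pol.max_delay_ms and p.loss_pct <= pol.max_loss_pct
            and p.jitter_ms <= pol.max_jitter_ms)

def select_path(paths, pol: ClassPolicy, max_load_pct: float = 90.0):
    """Return (path name, reason): the first preferred path that is in policy and
    not saturated, else the least-loaded in-policy path, else the least-degraded
    path by loss then delay (the last two rules are assumed tie-breaks)."""
    by_name = {p.name: p for p in paths}
    for name in pol.preferred:
        p = by_name.get(name)
        if p and within_policy(p, pol) and p.load_pct < max_load_pct:
            return p.name, "preferred"
    ok = [p for p in paths if within_policy(p, pol) and p.load_pct < max_load_pct]
    if ok:
        return min(ok, key=lambda p: p.load_pct).name, "fallback"
    return min(paths, key=lambda p: (p.loss_pct, p.delay_ms)).name, "degraded"

def demo():
    """Constructed measurements: MPLS has drifted past the voice delay threshold."""
    paths = [PathMetrics("MPLS", 120.0, 0.1, 5.0, 40.0),
             PathMetrics("INET", 60.0, 0.5, 10.0, 50.0)]
    voice = ClassPolicy("voice", 100.0, 1.0, 30.0, ("MPLS",))
    bulk = ClassPolicy("bulk", 500.0, 5.0, 100.0, ("INET", "MPLS"))
    return {pol.name: select_path(paths, pol) for pol in (voice, bulk)}

if __name__ == "__main__":
    for cls, (path, why) in demo().items():
        print(f"{cls:5s} -> {path} ({why})")
```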
Make Your IWAN Application Aware: Add Cisco AVC
[Diagram: Users/Machines and the proliferation of devices at the Branch and DC/Headquarters, reaching Public and Private clouds. Highlighted benefits: No Probes, Smart Capacity Planning, Business Aligned, Privacy Enforcement.]
Cisco AVC
- Rich data collection using NetFlow v9/IPFIX
- No additional hardware (and included in the AX license)
- Easy to integrate into many reporting tools
- Better use of costly bandwidth
- Per-branch and per-application level reporting
- No need for complex IP and port ACLs
- See inside HTTP flows to identify specific applications
60% of IT Professionals Cite Performance as Key Challenge for
Cisco WAAS: Enhancing User Experience and WAN Efficiency
Problem
- Application latency
- WAN bandwidth inefficiencies
Solution
- Reduce load: data redundancy elimination (DRE), compression, and TCP optimization
- Application optimization: fewer protocol messages and metadata caching
[Chart: Application Bandwidth (Mbps) and Application Latency (seconds), natively vs. with Cisco WAAS, showing the reduction in bandwidth and the reduction in latency.]
Akamai Connect: Caching & Prepositioning
- Caches HTTP content
- Prepositioning of Internet and private cloud content, including dynamic URLs like YouTube
- Cached and prepositioned content improves application response time dramatically
- Akamai Connect works over the WAN and directly from the Internet
- WAAS optimization + Akamai Connect improves both private and public performance
[Diagram: Branch reaching Private and Virtual Private clouds over MPLS (IP-VPN) and the Akamai Intelligent Platform over the public Internet.]
Direct Internet Access: What can I do with an Internet pipe at the branch?
Intelligent WAN: Secure Connectivity
Securing the network and users
[Diagram: Branch with Secure WAN Transport over MPLS (IP-VPN) to Private and Virtual Private clouds, and Secure Internet Access over the Internet to Public cloud.]
Two areas of concern:
- Protecting the network from outside threats, with data privacy over provider networks
- Protecting user access to public and Internet services: malware, privacy, phishing
Secure Direct Internet Access: Web Security (CWS)
[Diagram: Branch ISR with a Connector to CWS and a firewall. WAN1 (IP-VPN) carries the IWAN IPsec VPN for private traffic; WAN2 (Internet) carries public and Internet access through CWS.]
- Secure public and Internet access
- Web filtering, access policy, malware detection
CWS Guest Access
- CWS Guest Policy
- Create Guest Filters
TrustSec WAN Support
[Diagram: SGT propagation. Branch network (WLC, Catalyst, ISR G2) with Finance, Sales and Admin users; ISE; MACsec and SGT L2 frames; ISR G2 to ASR 1000 over GET-VPN, IPsec-VPN, DMVPN and FlexVPN; Data Center (Catalyst 6500, Nexus 5500, Nexus 7000) with SGACL enforcement.]
- Inline SGT tagging on all ASR 1000 and ISR G2 built-in LAN interfaces except the 8xx Series
- Inline tagging between ASR 1000 and ISR G2 for: IPsec, DMVPN, FlexVPN, GET-VPN
Intelligent WAN: An Architectural and Systems Approach
IWAN is a Solution Architecture
- Solves a network problem
- Use-case driven
Systems Development Approach
- Prescribed. Tested. Interoperable.
- Bounded scope and complexity
- Enables automation and quality
NEW! Delivers Business Outcomes
- Reduce WAN costs; increase bandwidth
- Improve and protect application performance
- Direct Internet Access
- Guest Access offload
- IT simplification (cost reduction)
Cisco IWAN Management
On-Prem Management: Prime Infrastructure 2.2 / 3.0
- Automates deployment and lifecycle management
- Single-pane view of IWAN
- IWAN deployment workflows
- Plug and Play
- DMVPN, QoS, AVC deployment and monitoring
- PfR v3 in Q1 2015
- License includes IWAN App and APIC-EM controller!
Specialized Management: Application Aware Network Performance Management (End-to-End Assurance of Application Experience)
- Integrates with Cisco AVC and PfR
- Monitor and analyze application traffic
- End-to-end flow visualization
- Flow- and app-based troubleshooting
- Fix and verify in real time
-Based Management
- Eliminates manual building of WANs
- Automated SD-WAN orchestration
- Centralized hybrid WAN management
- Quick config updates and IOS upgrades
- Leverages onePK and REST APIs
Prime Infrastructure 2.2 for IWAN
- IWAN workflow wizard with PnP
- Template-based IWAN configs
- PfRv3 Domain, MC and BR
- AVC one-click provisioning
- QoS provisioning
- Single or dual router branch
- CVD-based, customizable
- AVC readiness assessment
- AVC, QoS, PfR visibility
- Leverages APIC-EM services
Cisco Prime IWAN Automation and Orchestration Evolution
[Layered diagram, top to bottom:]
Traditional Management Systems: Prime (capacity planning, troubleshooting, change control)
Cisco IWAN Apps: IWAN Transport Security (PKI automation), Intelligent Path Control, PnP Provisioning, Application Experience, Partners (future)
Apps evolution via REST APIs
APIC-EM Services (partial): PKI Svc, NetFlow Svc, Network Svc, Events Svc, Inventory Svc, PnP Svc
APIC-EM: onePK/OpenFlow device abstraction layer, CLI
Q & A